Creating a Domain in AWS using EC2 classic security groups

The first step is to create a security group or groups.

For this demonstration I am creating one security group and I am provisioning one Domain Controller and one member server which I am joining to the domain example.local.

You could create more than one security group but you would then need to create routes between them.

To create a security group, open the EC2 Dashboard, click on Security Groups and then click Create Security Group.



Create a meaningful name for the security group and an optional description. Then click on Add Rule.

The first rule should allow RDP from your own IP address or subnet, as the case may be; it is best not to allow everybody RDP access.

Then click Create.


If you have a dynamically assigned IP address you can still do this; just remember to change the security group rule to My IP whenever you need to.


Instances that are in the same security group have full access to each other, so there should be no need to create any more rules unless you have a specific need.

So now we need two instances. I am going to use spot instances as they are much cheaper. You should use whatever instance is right for you.

To request a spot instance, go to Spot Requests and select Request Spot Instances.


Select the spot instance you want; in this case I am selecting 2012 R2 base.


Choose an instance type that suits you and click Next.


Enter an amount equal to or greater than the current price; in this case 2 cents an hour.


Then click Next.

I am leaving storage at the default and clicking Next.


Add an appropriate tag, or don't.


It is important to select the correct security group because you cannot change it after the instance is built (you can change the rules but not the security group). If you miss this step you might as well start again.


Check your settings and click Launch.


Select a pem file and click Request Spot Instance.


Repeat this process to build the member server. Make sure you select the same security group.

Wait a while until these requests are fulfilled.


Click on Instances and, when 2/2 checks are complete, you can get the password and log on to the servers.


Click on your instance and click Connect.


Then click Get Password.

Click on Choose Path, navigate to where your pem file is and click OK.


Then click Decrypt Password.


At this point I like to copy the Public DNS, username and password to Notepad so that I can quickly copy and paste from there.

Public DNS
User name Administrator
Password @H.Fp*uFjD;

Do the same for the other server and log on with RDP using the credentials provided.

Now promote the domain controller.

After the domain controller is online, log on to it and note its private IP address.

Log on to the member server.

It is a good idea to rename it to something logical; the fastest way is the PowerShell command

Rename-Computer MS01 -Restart


From the Member Server test connectivity to the DC.

In this case it did not work until I created a firewall rule in the security group.

With EC2 classic you don't really have any control over which private IP address they give you, so I used the entire 10.X.X.X range as my custom IP subnet.


As I don't care what traffic travels between my two servers, I have chosen 10.anything for all TCP, UDP and ICMP.

Now I can ping the DC by IP address but not by FQDN:

PS C:\Users\Administrator> ping dc01
Ping request could not find host dc01. Please check the name and try again.
PS C:\Users\Administrator> ping dc01.example.local
Ping request could not find host dc01.example.local. Please check the name and try again.

To fix this you need to adjust the DNS settings on the network adapter.

It is tempting to just assign a static IP address. DO NOT DO THAT: you will lose your connection and you will have to terminate your instance and start again.

What to do here is run ipconfig /all to find out the assigned DNS server, and make a note of the IP address of your domain controller.

Click the Use the following DNS server addresses radio button; for the preferred DNS server use your DC, and as the alternate use Amazon's DNS server.



Now you should be able to ping using the DNS name.




Now you are ready to join the domain.


PS C:\Users\Administrator> Add-Computer -DomainName example.local

cmdlet Add-Computer at command pipeline position 1
Supply values for the following parameters:
WARNING: The changes will take effect after you restart the computer MS01.
PS C:\Users\Administrator> Restart-Computer

And now the Server has joined the Domain.
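The DNS change and the domain join above can also be done from PowerShell on the member server. This is an added example, not from the original post: it keeps the DHCP-assigned address, puts the DC first and the Amazon resolver second, checks that the DC actually answers for its A record and the domain's LDAP SRV record, and only then runs Add-Computer. The DC IP 10.0.0.10 and the hostname dc01 are placeholders; replace them with the values you noted from ipconfig /all.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# on the member server after Rename-Computer has completed.
$DomainName = 'example.local'
$DcIp       = '10.0.0.10'   # placeholder: private IP of the DC from ipconfig /all
$DcHost     = 'dc01'        # placeholder: DC hostname used in the post

# The EC2 instance has a single active adapter carrying the DHCP address.
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
if (-not $adapter) { throw 'No active network adapter found.' }

# Keep the DNS server Amazon handed out so it can stay as the alternate.
$current   = Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4
$amazonDns = $current.ServerAddresses | Where-Object { $_ -ne $DcIp } | Select-Object -First 1
if (-not $amazonDns) { throw 'Could not read the DHCP-assigned DNS server; aborting.' }

# Change only the DNS client list. The IP address itself stays on DHCP;
# setting a static address here drops the connection, as the post warns.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses @($DcIp, $amazonDns)

# Verify resolution against the DC directly before attempting the join.
# A failure here usually means the security group is not passing TCP/UDP 53.
try {
    $a   = Resolve-DnsName -Name "$DcHost.$DomainName" -Type A -Server $DcIp -ErrorAction Stop
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $DcIp -ErrorAction Stop
} catch {
    throw "DNS check failed: $($_.Exception.Message)"
}
Write-Host "DC resolves to $($a.IPAddress); LDAP SRV target: $($srv.NameTarget)"

# Prompt for domain credentials instead of embedding them in the script.
$cred = Get-Credential -Message "Enter $DomainName credentials"
Add-Computer -DomainName $DomainName -Credential $cred -Restart
```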

If you prefer to use the GUI you can do it this way.